Researchers at BitDefender have discovered a new type of malicious software that collects passwords for banking sites but targets only Firefox users. The malware, which BitDefender dubbed "Trojan.PWS.ChromeInject.A" sits in Firefox's add-ons folder, said Viorel Canja, the head of BitDefender's lab. The malware runs when Firefox is started.
The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including Barclays, Wachovia, Bank of America, and PayPal along with two dozen or so Italian and Spanish banks. When it recognizes a Web site, it will collect logins and passwords, forwarding that information to a server in Russia.
Users could be infected with the Trojan either from a drive-by download, which can infect a PC by exploiting a vulnerability in a browser, or by being duped into downloading it, Canja said. When it runs on a PC, it registers itself in Firefox's system files as "Greasemonkey," a well-known collection of scripts that add extra functionality to Web pages rendered by Firefox.
I haven't worked out all the kinks yet (not sure what OS I'm going to use as a base, what exact extensions, details stuff), but it's a nice system. So long as I have VMWare player (which is free) on any given machine, I can access my browser, with my settings, from pretty much anywhere (storing the VM centrally on a space I can access from anywhere with a net connection).
Sounds complicated, but only from a setup point of view. Once it's all in place, it's quite easy to use. The VM runs locally, so I'm not inducing extra lag, and the security aspects are rock solid.
The other option is to put the whole appliance on a USB stick, which I might do. The problem with USB sticks is I'm always forgetting to grab it on the way out the door in the morning.
a VM browser appliance
I've used this one, which is pretty nifty right out of the box.
[vmware.com ]
Most seasoned Firefox users already use NoScript
Not according to any web server logs in my experience.
sits in Firefox's add-ons folder
Where is that dir/? I do not see it in my FF.
I suspect that it would be in
\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\<profile-string>\extensions
on Windows XP, but I haven't found an authoritative source for this info yet.
If anyone is running a legitimate install of GreaseMonkey and can confirm this, I'd appreciate it!
Jim
[edited by: jdMorgan at 10:44 pm (utc) on Dec. 5, 2008]
I've used this one, which is pretty nifty right out of the box.[vmware.com...]
I'd tried it, but it has dog-old versions of both Ubuntu and FF - Ub5.10 and FF1.0 respectively. I'd like to be using Ub8.04 and FF3.0 (Ub 8.10 has "issues" in how it declares the Linux kernel to VMware).
Mostly, it's a matter of making sure I have all my key favorite add-ons installed, and stripping as much as possible out of Ubuntu (to keep weight to a minimum), before establishing the snapshot point.
It's a good system. I think HP is distributing a custom Browser appliance with some of their desktop machines now. Not that the average business user will have a clue how to use it, or the inclination to try.
Actual scripts that use Greasemonkey have filenames like Firefox+Greasemonkey+Scripts.html.svn-work - those files aren't Greasemonkey itself, but scripts that use it. There is also a folder in ...Firefox\Profiles called gm_scripts but that's about it.
I'm beginning to think that a file actually named "greasemonkey" must be this trojan, using a handy name to hide from the more tech-savvy Firefox user.
I'm also getting frustrated with the technology "reporting" around this. All the articles keep calling it Firefox's "add-on" directory. There's no such thing. Give us something helpful here, will ya?
I forgot to mention that I performed a thorough search and did not find any Add-ons (supposed to read with an "S"), nor did I find a "greasemonkey", which I believe is fine!
Perhaps, as you mentioned, that malware when "installed" creates a dir/ add-ons and that greasemonkey thing?
The reporting problem is likely due to the use of the term "Add-ons" in the Firefox Tools menu, which then refers to functional extensions and themes in the \Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles\<profilename>\extensions directory.
So it's not all the reporters' faults, because Firefox uses multiple terms for the same thing.
I'm wondering if you also have SeaMonkey or the old Mozilla Suite (non-Firefox plain-old-Mozilla browser) installed on your machine. If so, that program is likely the one that "owns" the files in the \Documents and Settings\<username>\Application Data\Mozilla\Extensions path; Mozilla and Firefox "share" the common \Documents and Settings\<username>\Application Data\Mozilla\ path, and then split off -- with Firefox using a different and 'deeper' directory structure from that point on.
In my case, the names of the files in these \Extensions folders look like this one (for the Noia Firefox Theme):
{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
cheeaun(at)phoenity.com
The executable extensions I have installed all follow the format shown above for the Noia theme -- a string made up of hexadecimal number groups separated by commas, with the whole enclosed in squiggly-brackets.
For those joining us late, GreaseMonkey is a perfectly-legitimate piece of software that creates a JavaScript "page wrapper" in the browser to allow you (the browser user) to modify many, many aspects of the presentation of the Web pages that you visit. The "Trojan.PWS.ChromeInject.A" malware being discussed here is pretending to be related to GreaseMonkey, and we're trying to figure out exactly where to look in the Windows filesystem to check for the presence of this malware because the reporting so far has been far too vague.
Jim
BitDefender Information for Trojan.PWS.ChromeInject.B [bitdefender.com], detected as Trojan.PWS.ChromeInject.A
Jim
{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
cheeaun(at)phoenity.com
I've got three with that second format - including YSlow which depends on Firebug. Makes me wonder if the naming difference is about dependent add-ons.
From that new link to BitDefender:
It drops an executable file (which is a Firefox 3 plugin) and a JavaScript file (detected by Bitdefender as: Trojan.PWS.ChromeInject.A) into the Firefox plugins and chrome folders respectively.
Lots of other footprints mentioned as well for the trojan. That's a lot more helpful, even with three different names.
(reminds me of "reload vs. refresh", "internet shortcuts" and all the other alternative jargon that was created during the first browser wars.)
Reload/Refresh, Bookmark/Favorite, Subdirectory/Folder, Plug-in/Extension/Add-on -- How much time and money has been wasted because of confusing alternative/redundant terminology inspired by "not invented here" syndrome? :(
Jim
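As an added example (not code from this thread, from BitDefender or from Mozilla), here is a small Python audit that puts Jim's naming observation and the BitDefender drop locations together: it lists entries in the profile's extensions folder that match neither the {GUID} nor the email-style id format (or are literally named greasemonkey), any .js file in the profile's chrome folder, and any .exe or non-np*.dll in the install's plugins folder. The profile and install paths, the np* naming rule for NPAPI plugins and the "chrome holds only userChrome/userContent CSS" expectation are assumptions; the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

# Folder-name shapes the thread reports for legitimate add-ons: a GUID in
# curly braces, or an email-style id (the thread writes "cheeaun(at)phoenity.com").
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s/\\]+@[^@\s/\\]+\.[a-z0-9-]+$", re.I)
SUSPICIOUS = {"greasemonkey"}  # plain name the thread suspects the trojan borrows

def classify(name):
    """Return 'guid', 'email-id' or 'unexpected' for an extensions/ entry name."""
    if GUID_RE.match(name):
        return "guid"
    if EMAIL_RE.match(name):
        return "email-id"
    return "unexpected"

def audit(profile, install_dir):
    """Check profile extensions/ and chrome/ plus install plugins/.
    Returns (area, entry name, reason) tuples that deserve a manual look."""
    findings = []
    for entry in sorted((profile / "extensions").glob("*")):
        kind = classify(entry.name)
        if kind == "unexpected" or entry.name.lower() in SUSPICIOUS:
            findings.append(("extensions", entry.name, kind))
    # Assumption: profile/chrome normally holds only userChrome.css and
    # userContent.css, so a .js there matches the BitDefender note quoted above.
    for entry in sorted((profile / "chrome").glob("*.js")):
        findings.append(("chrome", entry.name, "javascript-file"))
    # Assumption: NPAPI plugins are np*.dll; an .exe or other DLL is out of place.
    for entry in sorted((install_dir / "plugins").glob("*")):
        ext = entry.suffix.lower()
        if ext == ".exe" or (ext == ".dll" and not entry.name.lower().startswith("np")):
            findings.append(("plugins", entry.name, "unexpected-binary"))
    return findings

def build_demo():
    """Constructed sample tree (not a real infection) to exercise audit()."""
    root = Path(tempfile.mkdtemp())
    profile, install = root / "profile", root / "install"
    for rel in ("profile/extensions/{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}",
                "profile/extensions/cheeaun@phoenity.com",
                "profile/extensions/greasemonkey", "profile/chrome", "install/plugins"):
        (root / rel).mkdir(parents=True)
    for rel in ("profile/chrome/userChrome.css", "profile/chrome/inject.js",
                "install/plugins/npdemo.dll", "install/plugins/dropper.exe"):
        (root / rel).touch()
    return audit(profile, install)

if __name__ == "__main__":
    for area, name, why in build_demo():
        print(f"{area}: {name} ({why})")
```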
For a Windows machine please read first about the info that you are required to gather prior to install: IP, subnet mask and other goodies
[edited by: tedster at 8:57 pm (utc) on Dec. 7, 2008]
[edit reason] I added the links [/edit]
If you opt for automated updates you need to open TCP ports 5242 & 6282.
The only slight drawback: on my test machine (dedicated to web surfing), which is a few years old and not among the most powerful, running BotHunter plus a couple of tabs, email, Word and my UltraEdit editor seems to slow operations down slightly.